From: "Penelope Phelps"
Date: Tue, 26 Jul 2016 23:02:43 +1100
Subject: list of activities

Hello,
Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.
Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID: 4d2c95a750fe26a3560ffddfe374ff5c5c064bd78fea30

The sender's name, company and "Security-ID" vary. Attached is a ZIP file with elements of the recipient's email address in its name, containing a malicious .wsf script that looks like this. This Malwr report and this Hybrid Analysis show this particular sample downloading from:

akva-sarat.nichost.ru/bokkdolx
There will be many other download locations in addition to this one. The downloaded file is Locky ransomware with a detection rate of 8/55. Further analysis is pending; however, it is quite likely that this sample uses the same C2 servers as those seen earlier today.
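As an added defensive example (not code from the original post), the check below flags an inbound ZIP attachment that carries a Windows Script Host file such as the .wsf dropper described above, and records whether the archive name embeds part of the recipient's address, the personalisation trick this campaign relies on. The recipient address, attachment name and placeholder script body are constructed assumptions.

```python
import io
import os
import re
import zipfile

# Windows Script Host and related script types; none of these belong in a mailed ZIP.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}

def script_members(zip_bytes: bytes) -> list:
    """Names of archive members with a Windows script extension.
    A corrupt or non-ZIP payload yields [] instead of raising, so a
    malformed attachment cannot knock the filter over."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]

def names_recipient(attachment_name: str, recipient: str) -> bool:
    """True if the ZIP name embeds part of the recipient's address, the
    personalisation this campaign uses to make the lure look legitimate."""
    local_part = recipient.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[._+-]", local_part) if len(t) >= 3]
    return any(t in attachment_name.lower() for t in tokens)

def assess_attachment(attachment_name: str, zip_bytes: bytes, recipient: str) -> dict:
    """Verdict for one inbound ZIP attachment: block on any script member."""
    members = script_members(zip_bytes)
    return {
        "script_members": members,
        "personalised": names_recipient(attachment_name, recipient),
        "verdict": "block" if members else "allow",
    }

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a personalised ZIP carrying a placeholder .wsf, as in the campaign.
SAMPLE_RECIPIENT = "jane.doe@example.com"
SAMPLE_NAME = "jane.doe_list_of_activities.zip"
SAMPLE_ZIP = build_zip({"list of activities.wsf": b"<job><!-- constructed placeholder --></job>"})
```

Run assess_attachment(SAMPLE_NAME, SAMPLE_ZIP, SAMPLE_RECIPIENT) to see the sample flagged as "block" with the .wsf member listed and the personalisation noted.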